Add custom field at first place in message

Tags:

#1 matejrycek 4 years ago

Hi everyone,

I would like to add my custom field to log at first place in log. But if i added Exec $senderversion = "3.5.563"; the field will be at last place in log.

is there some way to add a field to the first place ?

My configuration and log sample are below.

Thanks for any answer.

<Extension _json>
    Module  xm_json
</Extension>

<Input eventlog>
	Module im_msvistalog
	Exec delete($EventTime);
	Exec delete($EventReceivedTime);
	Exec delete($SourceModuleName);
	Exec delete($SourceModuleType);
	Exec $senderversion = "3.5.563";
</Input>

<Output tcp_event>
	Module      om_tcp
    Host        198.19.254.112
    Port        514
	Exec to_json();
</Output>

<Route logmanager1>
	Path eventlog => tcp_event
</Route>

My logs now looks like this:

{"Hostname":"win_template.nxlog.matej","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":214127,"ProcessID":644,"ThreadID":3508,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN_TEMPLATE$\r\n\tAccount Domain:\t\tNXLOG\r\n\tLogon ID:\t\t0x241DC39F\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"WIN_TEMPLATE$","TargetDomainName":"NXLOG","TargetLogonId":"0x241dc39f","LogonType":"3","senderversion":"3.5.563"}

I would like to make the log look like this:

{"senderversion":"3.5.563","Hostname":"win_template.nxlog.matej","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":214127,"ProcessID":644,"ThreadID":3508,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN_TEMPLATE$\r\n\tAccount Domain:\t\tNXLOG\r\n\tLogon ID:\t\t0x241DC39F\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"WIN_TEMPLATE$","TargetDomainName":"NXLOG","TargetLogonId":"0x241dc39f","LogonType":"3"}

Permalink

#2 Zhengshi Nxlog ✓ 4 years ago

#1 matejrycek

Hi everyone, I would like to add my custom field to log at first place in log. But if i added Exec $senderversion = "3.5.563"; the field will be at last place in log. is there some way to add a field to the first place ? My configuration and log sample are below. Thanks for any answer. <Extension _json> Module xm_json </Extension> <Input eventlog> Module im_msvistalog Exec delete($EventTime); Exec delete($EventReceivedTime); Exec delete($SourceModuleName); Exec delete($SourceModuleType); Exec $senderversion = "3.5.563"; </Input> <Output tcp_event> Module om_tcp Host 198.19.254.112 Port 514 Exec to_json(); </Output> <Route logmanager1> Path eventlog => tcp_event </Route> My logs now looks like this: {"Hostname":"win_template.nxlog.matej","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":214127,"ProcessID":644,"ThreadID":3508,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN_TEMPLATE$\r\n\tAccount Domain:\t\tNXLOG\r\n\tLogon ID:\t\t0x241DC39F\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"WIN_TEMPLATE$","TargetDomainName":"NXLOG","TargetLogonId":"0x241dc39f","LogonType":"3","senderversion":"3.5.563"} I would like to make the log look like this: {"senderversion":"3.5.563","Hostname":"win_template.nxlog.matej","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":214127,"ProcessID":644,"ThreadID":3508,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN_TEMPLATE$\r\n\tAccount Domain:\t\tNXLOG\r\n\tLogon ID:\t\t0x241DC39F\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"WIN_TEMPLATE$","TargetDomainName":"NXLOG","TargetLogonId":"0x241dc39f","LogonType":"3"}

There is no way to sort the fields currently that I know of. Not without re-writing the JSON with xm_perl or similar.
Though if this field is pretty static, you could do something like the following after your to_json() directive:
Exec $raw_event =~ s/^{/{"senderversion":"3.5.563",/;

This should rewrite the first open bracket to include your value using regex substitution.